Remote Assistance Scripted

Anyone know why this wouldn't work...I'm trying to activate Remote Assistance:
 

     ' Group Policy Settings
     Dim objShell, RegLocate, RegLocate1
     Set objShell = WScript.CreateObject("WScript.Shell")
     On Error Resume Next
     objShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections","0","REG_DWORD"
     objShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\AllowTSConnections","1","REG_DWORD"
     objShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp","1","REG_DWORD"
     objShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowFullControl","1","REG_DWORD"
     objShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp","1","REG_DWORD"
     objShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited","1","REG_DWORD"
     objShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicitedFullControl","1","REG_DWORD"
     objShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fUseMailto","1","REG_DWORD"
     objShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxTicketExpiry","1","REG_DWORD"
     objShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxTicketExpiryUnits","1","REG_DWORD"
     ' Add the "helpers"
     objShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\CAMPTECH","CAMPTECH","REG_SZ"
     'done with registry settings

 
Looking in regedit it looks like the registry settings are correct, but if I go to the Group Policy console (gredit.msc) and browse to Administrative Templates -> System -> Remote Assistance they still show as "Not configured"
 
???

That is correct.  The policy is applied to a system, it doesn't query or care what the local settings are.

Shouldn't you simply apply a group policy to adjust this? Why go outside the GPO system at all?

I agree with you ebGreen, if the setting that you want set are in policy, you shouldn't be using a script, nor local policy, but Group Policy.

rasimmer


I agree with you ebGreen, if the setting that you want set are in policy, you shouldn't be using a script, nor local policy, but Group Policy.

Is this assuming a windows ad is present? Because we do not have one.
 
I guess I don't understand how group policy settings work. Can a group policy not be scripted? These are the same registry settings that are changed when you use the Group Policy console to turn Remote Assistance on...

Yes, you could script it, but we were questioning why you would do that if you had GPO available.  Policy is processed when

• Computer Policy - When the computer is starting before the CTRL+ALT+DEL screen (executed as SYSTEM)
• User Policy - When the user is logging into the computer (executed as the USER)

The policy is not indicating WHAT setting are set, but the setting that you WANT set.

(http://technet.microsoft.com/en-us/library/cc779838(WS.10).aspx)

The local Group Policy object (local GPO) is stored on each individual computer, in the hidden %systemroot%\System32\GroupPolicy directory. Each computer running Windows 2000, Windows XP Professional, Windows XP 64-Bit Edition, Windows XP Media Center Edition, or Windows Server 2003 has exactly one local GPO, regardless of whether the computers are part of an Active Directory environment.
Local GPOs do not support certain extensions, such as Folder Redirection or Group Policy Software Installation. Local GPOs do support many security settings, but the Security Settings extension of Group Policy Object Editor does not support remote management of local GPOs. Local GPOs are always processed, but are the least influential GPOs in an Active Directory environment, because Active Directory-based GPOs have precedence.
Although you can configure local GPOs on individual computers, the full power of Group Policy can only be realized in a Windows Server network with Active Directory installed. In addition, some features and Group Policy settings require client computers running Windows XP.

We wanted a script to enable it because we have 700+ PC's that we want to turn this on. We figured we would vbscript it so we could activate it on demand (send the user a link), and also make it easy for our tech folks to change these settings (instead of having to go to Group Policy console, they can jsut run a script).

So these Group Policy settings are not stored in the registry then, but in a plain text file?

VBean


We wanted a script to enable it because we have 700+ PC's that we want to turn this on. We figured we would vbscript it so we could activate it on demand (send the user a link), and also make it easy for our tech folks to change these settings (instead of having to go to Group Policy console, they can jsut run a script).

So these Group Policy settings are not stored in the registry then, but in a plain text file?

Just wondering why you aren't then writing and *.adm file with the settings?

pinkwho

VBean


We wanted a script to enable it because we have 700+ PC's that we want to turn this on. We figured we would vbscript it so we could activate it on demand (send the user a link), and also make it easy for our tech folks to change these settings (instead of having to go to Group Policy console, they can jsut run a script).

So these Group Policy settings are not stored in the registry then, but in a plain text file?

Just wondering why you aren't then writing and *.adm file with the settings?

Sorry, not sure what an .adm file is...????

Well it seems many have missed the fact that you stated you did NOT have AD in your environment. 

Back to your issue...your registry changes will not reflect in the local policy as stated...but have you actually tested to see if the registry changes you made enable remote assistance rather than worrying if the local policy reflects your changes?

dm_4ever


Well it seems many have missed the fact that you stated you did NOT have AD in your environment. 

Back to your issue...your registry changes will not reflect in the local policy as stated...but have you actually tested to see if the registry changes you made enable remote assistance rather than worrying if the local policy reflects your changes?

Yes, we have tried. The registery settings do change, but the RA group policy does not. So I can see in regedit the exact settings needed for it to be enabled, but when I go to gpedit.msc and look under Admin Templates -> System -> Remote Assistance the settings still say "Not configured" and RA still does not work.
 

Forget about policy.  You just want a script to enable Remote Assistance.  So, the registry settings you believe are required to enable RA are enabled, but RA does not work.  What doesn't work?  Have you verified the users\groups in Remote Desktop Users?  Let's concentrate on what is not working in the script and the errors\issues you are seeing.  

rasimmer

What doesn't work? 

When we try to "Offer" assistance to the test PC we get the message:
 
"Access to the requested resource has been disabled by your administrator"
 

rasimmer

Have you verified the users\groups in Remote Desktop Users?

I'm not sure that anything needs to be changed in the Remote Desktop Users group. We haven't had to make any changes at all here in our testing. (In our testing we made firewall exceptions plus the gp settings changes manually, and RA works)
 
Certainly willing to entertain ideas....

One thing we do here when enabling remote desktop via a remote connections (generally through RegEdit) a reboot is required before it will work.  I don;t know if the same is required for Remote Assistance but I would assume so.

Now, it may also be that your GPO disables this functionality and that whenever it refreshes on the machine, it undoes your changes.  If that is the case, the PCs where RA is needed, they would need to be put in an OU granting access.

This is just speculation.